3.14 Post-connect

Post-connect in Novell ZENworks Network Access Control provides an interface where you can configure external systems, such as IDS/IPS, that request quarantining of an endpoint based on activity that occurs after the endpoint has connected to the network (post-connect).

The following sections contain more information:

3.14.1 Allowing the Post-connect Service Through the Firewall

The firewall must be opened for each post-connect service that communicates with Novell ZENworks Network Access Control.

To open the firewall for your post-connect service:

Command line window

  1. Log in to the Novell ZENworks Network Access Control MS as root using SSH or directly with a keyboard.

  2. Enter the following command at the command prompt:

    iptables -I INPUT -s <host> -m tcp -p tcp --dport 61616 -j ACCEPT

    Where <host> is the external server IP address.

3.14.2 First Time Selection

The first time you select the Post-connect menu option, you are prompted to configure your external system:

Home>>Post-connect

Figure 3-40 Post-connect Configuration Message

Configure your post-connect system as described in Section 3.14.4, Configuring a Post-connect System. Then launch your post-connect system as described in Section 3.14.5, Launching Post-connect Systems.

3.14.3 Setting Novell ZENworks Network Access Control Properties

Most Novell ZENworks Network Access Control properties are set by default. To change or set properties, you must change the properties as described in Section 16.5.10, Changing Properties.

You must set the following properties for Novell ZENworks Network Access Control to communicate with your external post-connect server (see Section A.0, Configuring the Post-connect Server):

  • Compliance.ActiveMQJMSProvider.url=ssl\://0.0.0.0\:61616

  • Compliance.JMSProvider.UserName=<username>

  • Compliance.JMSProvider.Password=<password>

Where:

<username> is the user name you use to log in to the external post-connect server.

<password> is the password you use to log in to the external post-connect server.

3.14.4 Configuring a Post-connect System

To configure an external post-connect system:

Home>>System configuration>>Post-connect

Figure 3-41 System Configuration, Post-connect

  1. Enter the name of your post-connect service in the Service name text field. This is the name used in the Post-connect and Endpoint activity windows. For example, Strata Guard.

  2. Enter the URL of the post-connect service in the Service URL text field. If you are using Strata Guard™ as your post-connect service, enter the URL of your Strata Guard manager. When the post-connect configuration is complete, you will be able to launch this URL from the Novell ZENworks Network Access Control Post-connect window.

    For example, https://192.168.40.15/index.jsp.

  3. Select the Automatically log into service check box to log into the post-connect service automatically when it is launched by clicking the post-connect service name on the Novell ZENworks Network Access Control Post-connect window (Home>>Post-connect).

    1. Enter the user name of the account to be used for logging into the post-connect service in the User name text field.

    2. Enter the password of the account to be used for logging into the post-connect service in the Password text field.

    3. To help confirm accuracy, enter the same password you entered into the Password text field in the Re-enter password text field.

  4. Select the Notify administrators when a post-connect service quarantines an endpoint check box if you want administrators to be notified when a post-connect service quarantines an endpoint. Notifications will be sent by email from the enforcement cluster quarantining the endpoint in accordance with its notifications settings.

  5. Click ok to save your changes and return to the Home window.

3.14.5 Launching Post-connect Systems

After you have configured a post-connect system, you must launch it before Novell ZENworks Network Access Control can communicate with it.

To launch a post-connect system:

Home>>Post-connect

Figure 3-42 Post-connect Launch Window

  1. Click on the post-connect system name. A new browser window opens.

  2. If you have not elected to automatically log in to this external system (see Step 3 above), you will be presented with that system’s login window.

3.14.6 Post-connect in the Endpoint Activity Window

When an external service requests that an endpoint be quarantined, it sends the request to Novell ZENworks Network Access Control, which quarantines the endpoint based on the hierarchy rules described in Section 7.1, Endpoint Quarantine Precedence.

The icons on the Endpoint activity window show that the endpoint is quarantined by an external service. When you hover the cursor over the icon, the quarantine details are presented in a pop-up window:

Figure 3-43 Post-connect Quarantine Details

3.14.7 Adding Post-connect System Logos and Icons

The post-connect logo that appears in the mouseover help (see Figure 3-43) and the icon that appears in the Endpoint activity window are the logo and icon for your post-connect system. If you have more than one post-connect system, you will see more than one logo and more than one icon.

You can use your own custom logos and icons for your post-connect service.

To change the mouseover logo and icons:

Command line window

  1. Create logo and icon files in the following formats and approximate sizes:

    • JPG
    • GIF
    • PNG

    Logo file — approximately 154 pixels wide x 24 pixels high

    Icon file — approximately 18 x 18 pixels

  2. Copy the logo and icon files to the following directory on the Novell ZENworks Network Access Control MS (see Section 1.9, Copying Files):

    /usr/local/nac/webapps/ROOT/images
  3. Log in to the Novell ZENworks Network Access Control MS as root using SSH or directly with a keyboard.

  4. Modify the following properties in the nac-ms.properties file (see Section 16.5.10, Changing Properties):

    Compliance.PostConnect.Agents.<PRODUCTID>.Logo=<Logo filename>
    Compliance.PostConnect.Agents.<PRODUCTID>.Icon=<Icon filename>
    Compliance.PostConnect.Agents.<PRODUCTID>.Name=<Friendly Product Name>

    Where:

    <PRODUCTID> is the identifier for the post-connect service. For example, PostConnectServiceName

    <Logo filename> is the name of the logo file. For example, logo_post_connect.gif

    <Icon filename> is the name of the icon file. For example, icon_quarantined_post_connect.png

    <Friendly Product Name> is a user-friendly name for the post-connect service. For example, MyCompany PostConnectServiceName

  5. Modify the <PRODUCTID> in the connector.properties file (see Section 16.5.10, Changing Properties):

    product=PostConnectServiceName
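The properties in Section 3.14.3 and in steps 4 and 5 above are only consistent if the JMS URL is ssl:// on the port opened in the firewall, the credentials are set, and the <PRODUCTID> in nac-ms.properties matches the product id in connector.properties. The following added check script is not part of the product; it uses constructed sample property lines, a minimal Java .properties reader (the \: escapes shown in Section 3.14.3 are unescaped; \uXXXX is not handled), and takes the set of filenames present in /usr/local/nac/webapps/ROOT/images as an argument.

```python
import re

# Constructed samples of the lines this section documents (not copied from a real appliance).
NAC_MS_SAMPLE = """\
Compliance.ActiveMQJMSProvider.url=ssl\\://0.0.0.0\\:61616
Compliance.JMSProvider.UserName=pcadmin
Compliance.JMSProvider.Password=example-secret
Compliance.PostConnect.Agents.PostConnectServiceName.Logo=logo_post_connect.gif
Compliance.PostConnect.Agents.PostConnectServiceName.Icon=icon_quarantined_post_connect.png
Compliance.PostConnect.Agents.PostConnectServiceName.Name=MyCompany PostConnectServiceName
"""
CONNECTOR_SAMPLE = "product=PostConnectServiceName\n"

def parse_properties(text):
    """Minimal Java .properties reader: skips comments, '=' or ':' separator, drops backslash escapes."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"((?:\\.|[^=:\s])+)\s*[=:]?\s*(.*)", line)
        if m:
            props[re.sub(r"\\(.)", r"\1", m.group(1))] = re.sub(r"\\(.)", r"\1", m.group(2))
    return props

def check_post_connect(nac_ms, connector, available_files):
    """Return findings (empty list = consistent); available_files are names in the images directory."""
    findings = []
    url = nac_ms.get("Compliance.ActiveMQJMSProvider.url", "")
    if not url.startswith("ssl://"):
        findings.append("JMS provider URL does not use ssl://, broker traffic would be unencrypted")
    if not url.endswith(":61616"):
        findings.append("JMS provider port is not the 61616 opened by the firewall rule")
    for key in ("Compliance.JMSProvider.UserName", "Compliance.JMSProvider.Password"):
        if not nac_ms.get(key):
            findings.append(f"{key} is empty")
    # The agent keys must use the same <PRODUCTID> that connector.properties declares as product=
    prefix = f"Compliance.PostConnect.Agents.{connector.get('product', '')}."
    for suffix in ("Logo", "Icon", "Name"):
        if not nac_ms.get(prefix + suffix):
            findings.append(f"missing {prefix}{suffix} (does <PRODUCTID> match connector.properties?)")
    for suffix in ("Logo", "Icon"):
        fname = nac_ms.get(prefix + suffix, "")
        if fname and ("/" in fname or not fname.lower().endswith((".jpg", ".gif", ".png"))):
            findings.append(f"{suffix} must be a bare JPG/GIF/PNG filename, got {fname!r}")
        elif fname and fname not in available_files:
            findings.append(f"{suffix} file {fname} is not in the images directory")
    return findings
```

On the MS, feed it the contents of nac-ms.properties and connector.properties and the listing of the images directory; any non-empty result points at a step above that was skipped or mistyped.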